ClassDojo is committed to protecting the privacy and security of our members, users of our software tools, and visitors to ClassDojo sites. Our Vulnerability Disclosure Program is intended to minimize the impact any security flaws have on our tools, our hosted services, or their users. ClassDojo's Vulnerability Disclosure Program covers two types of software: select software partially or primarily written by ClassDojo, and public-facing software and systems ClassDojo makes use of for its websites and other Internet services.

In addition to the software and systems described below, ClassDojo's Vulnerability Disclosure Program applies to security vulnerabilities discovered in any of the following software:

ClassDojo iOS app

ClassDojo Android app

In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of the software. Only security vulnerabilities submitted through our BugCrowd program will qualify. We would love it if people reported other bugs via the appropriate channels, but since the purpose of this program is to fix security vulnerabilities, only bugs that lead to security vulnerabilities will be eligible for rewards.

In addition to the software described above, ClassDojo's Vulnerability Disclosure Program applies to security vulnerabilities discovered in any web services or other public-facing software running on any of the following domains:

classdojo.com and all subdomains (*.classdojo.com)

classdojo.co.uk

doj.io

dojo.me

These are the vulnerabilities we are looking for:

Cross-site request forgery (CSRF/XSRF)

Cross-site scripting (XSS)

Authentication bypass

Remote code execution

SQL Injection

Privilege escalation

Bugs not listed will be accepted at our discretion. Vulnerabilities in server software such as HAProxy or WordPress are in scope if the vulnerability has already been publicly reported and a patch or software update for the vulnerability has been available from the software's maintainers for at least 5 days. In order to qualify, the vulnerability must exist in software or a service that is actively running on ClassDojo's servers at the time the vulnerability is disclosed. (In other words, you won't get a reward just for telling us about the latest CVE, unless we've neglected to patch it or update our software 5 days after a fix has been released.) Security vulnerabilities created by the specific configuration of software on ClassDojo servers are also in scope under this program. Vulnerabilities that require physical access to server hardware are ineligible for submission.

Please adhere to the following guidelines in order to be eligible for rewards under this disclosure program:

Do not permanently modify or delete ClassDojo-hosted data.

Do not intentionally access non-public ClassDojo data any more than is necessary to demonstrate the vulnerability.

Do not DDoS or otherwise disrupt, interrupt or degrade our internal or external services.

Do not share confidential information obtained from ClassDojo, including but not limited to member or donor payment information, with any third party.

Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against, anyone, including ClassDojo staff, members, vendors, or partners.

In addition, please allow ClassDojo at least 90 days to fix the vulnerability before publicly discussing or blogging about it. ClassDojo believes that security researchers have a First Amendment right to report their research and that disclosure is highly beneficial, and understands that it is a highly subjective question of when and how to hold back details to mitigate the risk that vulnerability information will be misused. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.

Just as important as discovering security flaws is reporting the findings so that users can protect themselves and vendors can repair their products. Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities and build more secure products. Disclosure and peer review advance the state of the art in security. Researchers can figure out where new technologies need to be developed, and the information can help policymakers understand where problems tend to occur.

On the other hand, vulnerability information can give attackers who were not otherwise sophisticated enough to find the problem on their own the very information they need to exploit a security hole in a computer or system and cause harm. Therefore we ask that you privately report the vulnerability to ClassDojo before public disclosure.

Send an email to security@classdojo.com with information about the vulnerability and detailed steps on how to replicate it. If you'd like a reward for approved submissions, please first request to join our BugCrowd program and submit your finding through that platform.

We will make every effort to respond to valid reports within seven business days when they are submitted through BugCrowd.

The validity of a vulnerability will be judged at the sole discretion of ClassDojo.